Network Working Group L. Law
Request for Comments: 4869 J. Solinas
Category: Informational NSA
May 2007
Suite B Cryptographic Suites for IPsec
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document proposes four optional cryptographic user interface
suites ("UI suites") for IPsec, similar to the two suites specified
in RFC 4308. The four new suites provide compatibility with the
United States National Security Agency's Suite B specifications.
Table of Contents
1. Introduction
2. Requirements Terminology
3. New UI Suites
   3.1. Suite "Suite-B-GCM-128"
   3.2. Suite "Suite-B-GCM-256"
   3.3. Suite "Suite-B-GMAC-128"
   3.4. Suite "Suite-B-GMAC-256"
4. Security Considerations
5. IANA Considerations
6. References
   6.1. Normative References
   6.2. Informative References
1. Introduction
[RFC4308] proposes two optional cryptographic user interface suites
("UI suites") for IPsec. The two suites, VPN-A and VPN-B, represent
commonly used present-day corporate VPN security choices and
anticipated future choices, respectively. This document proposes
four new UI suites based on implementations of the United States
National Security Agency's Suite B algorithms (see [SuiteB]).
As with the VPN suites, the Suite B suites are simply collections of
values for some options in IPsec. Use of UI suites does not change
the IPsec protocols in any way.
2. Requirements Terminology
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
in this document are to be interpreted as described in [RFC2119].
3. New UI Suites
Each of the following UI suites provides choices for ESP (see
[RFC4303]) and for IKEv1 and IKEv2 (see [RFC2409] and [RFC4306]).
The four suites are differentiated by the choice of cryptographic
algorithm strengths and a choice of whether the Encapsulating
Security Payload (ESP) is to provide both confidentiality and
integrity or integrity only. The suite names are based on the
Advanced Encryption Standard [AES] mode and AES key length specified
for ESP.
IPsec implementations that use these UI suites SHOULD use the suite
names listed here. IPsec implementations SHOULD NOT use names
different than those listed here for the suites that are described,
and MUST NOT use the names listed here for suites that do not match
these values. These requirements are necessary for interoperability.
3.1. Suite "Suite-B-GCM-128"
This suite provides ESP integrity protection and confidentiality
using 128-bit AES-GCM (see [RFC4106]). This suite or the following
suite should be used when ESP integrity protection and encryption are
both needed.
ESP:
  Encryption               AES with 128-bit keys and 16-octet Integrity
                           Check Value (ICV) in GCM mode [RFC4106]
  Integrity                NULL
IKEv1:
  Encryption               AES with 128-bit keys in CBC mode
                           [RFC3602]
  Pseudo-random function   HMAC-SHA-256 [RFC4868]
  Hash                     SHA-256 [FIPS-180-2] [RFC4634]
  Diffie-Hellman group     256-bit random ECP group [RFC4753]
  Group Type               ECP
For IKEv1, Phase 1 SHOULD use Main mode. IKEv1 implementations MUST
support pre-shared key authentication [RFC2409] for interoperability.
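
An added example (not part of RFC 4869): a Python audit that checks a policy record against the Suite-B-GCM-128 ESP and IKEv1 values listed above and applies the naming rules from Section 3, reporting MUST-level findings as errors and SHOULD-level findings as warnings. The record layout, the string labels and the sample policies are constructed for this example and do not come from any IPsec implementation.

```python
import copy

# Suite values as listed in Section 3.1; the labels are this example's own.
SUITES = {
    "Suite-B-GCM-128": {
        "esp": {"encryption": "AES-128-GCM-ICV16", "integrity": "NULL"},
        "ikev1": {"encryption": "AES-128-CBC", "prf": "HMAC-SHA-256",
                  "hash": "SHA-256", "dh_group": "ECP-256-random",
                  "group_type": "ECP"},
    },
}

def mismatches(policy, spec):
    """List 'proto.field' entries where the policy differs from the suite."""
    return [f"{proto}.{field}"
            for proto, fields in spec.items()
            for field, want in fields.items()
            if policy.get(proto, {}).get(field) != want]

def audit(policy):
    """Return (errors, warnings): MUST-level and SHOULD-level findings."""
    errors, warnings = [], []
    name = policy.get("suite_name")
    if name in SUITES:
        bad = mismatches(policy, SUITES[name])
        if bad:  # a listed name MUST NOT label values that do not match
            errors.append(f"{name} used with non-matching values: {', '.join(bad)}")
        ike = policy.get("ikev1", {})
        if ike.get("phase1_mode") != "main":  # Phase 1 SHOULD use Main mode
            warnings.append("ikev1.phase1_mode is not 'main'")
        if "psk" not in ike.get("auth_supported", ()):  # PSK support is a MUST
            errors.append("ikev1 does not support pre-shared key authentication")
    else:
        for real, spec in SUITES.items():
            if not mismatches(policy, spec):  # right values, other name: SHOULD NOT
                warnings.append(f"values match {real} but policy is named {name!r}")
    return errors, warnings

# Constructed sample policies.
GOOD = {"suite_name": "Suite-B-GCM-128", **copy.deepcopy(SUITES["Suite-B-GCM-128"])}
GOOD["ikev1"].update(phase1_mode="main", auth_supported=["psk"])
WEAK = copy.deepcopy(GOOD)  # keeps the suite name but weakens two settings
WEAK["ikev1"].update(hash="SHA-1", phase1_mode="aggressive")
RENAMED = {**copy.deepcopy(GOOD), "suite_name": "corp-vpn"}

if __name__ == "__main__":
    for label, p in (("good", GOOD), ("weak", WEAK), ("renamed", RENAMED)):
        print(label, audit(p))
```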